Feature Improvements
* Updated LDAP documentation.
* Added note on DH parameters in eap.conf, and debugging messages which complain if DH is used, but not configured properly.
* Updated the Mikrotik dictionary. Added a note that the sample dictionary they supply is broken.
* Output more information on blocked threads, which should help narrow down which modules is causing the problem.
* Added more eDirectory support.
* rlm_ldap now prints out attributes in the standard format
* Enabled server-side handling of procedures in MySQL
Bug Fixes
* Added NT-Hash support for mschap_xlat.
* Corrected documentation to point to correct location of files.
* Checks for more recent FreeBSD versions.
* uses -DLDAP_DEPRECATED to avoid OpenLDAP crashes.
* Use correct value for authentication name in rlm_mschap.
* Fix over-ride for usernames when use_tunneled_reply = yes.
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
Feature Improvements
* Added more dictionaries
Bug Fixes
* Corrected typo in rlm_pap.c (closes#440)
* Corrected typo in src/main/auth.c (closes#437)
* Suppress SSL error messages if error is zero. (closes#436)
* Don't complain about "Error in read client certificate A" if we expect to
read it in the next packet. Fix based on patch by Dan Lukes.
* Corrected nearly 30 bugs found by Coverity See also http://scan.coverity.com
* Don't die on HUP. Instead leak memory (sorry). After a few hundred HUP's, the
server will have leaked a few megabytes of memory, and you should probably
re-start it. It's ugly, but better than dying. (Closes#426)
* Corrected a few double free's
* Corrected typo in radrelay, which prevented it from working
* Made Firebird module build
* Fixed bug in PostgreSQL module that caused server crash.
* Fixed bug in SQL module that could cause server to crash.
2006.03.05 Version 1.1.5 has been released.
The focus of this release is stability.
Feature Improvements
* Added more dictionaries
* Dictionary files now MUST NOT be globally writable.
* Configuration files now MUST NOT be globally writable.
* Be more aggressive about freeing memory on clean exit.
* Updated rlm_python.
* Added another experimental SQL IP Pool module
Bug Fixes
* Corrected base64 decoding in rlm_pap
* Don't retransmit accounting packets. The NAS should do this.
* Handle Client-Error in EAP-SIM. (Closes#419)
* Port OpenSSL locking fixes from CVS head. This makes PEAP more stable on i
some systems.
* Require Message-Authenticator in Status-Server packets.
* Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868.
* Increase buffer size for dynamic expansion, which allows longer SQL queries.
(Closes#405)
* Use correct line number when there's a parse error in one of the
configuration sections. (Closes#421)
* Terminate SSL sessions in EAP on error, rather than continuing in some cases.
* Increase buffer size to allow parsing of long octet strings,
* Fix string termination on xlat in rlm_perl.
* Major enhancements to rlm_pap, that make "encryption_scheme"
a think of the past. See "man rlm_pap" for details.
* Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
work-arounds that enable Windows Vista clients to work.
* Added preliminary code to support Firebird.
Use at your own risk!
* Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
platforms.
* Add a new "reply-name" directive in rlm_sqlcounter to define the
name of the reply attribute.
* Added more dictionaries and attributes
* Print ntlm_auth failure reason in Module-Failure-Message
* radsqlrelay is able to get the DB password from a file instead
of command line.
Bug fixes
* Fix a parse error in the digest module, where malformed
digest requests would result in the user being accepted. Oops...
* VALUEs can only be defined for 'integer', to catch mistakes
with setting VALUEs for type 'string'.
* Better parsing of VALUE names, so that values starting with
a digit work correctly.
* Check return from malloc
* Fix a double free() in rlm_eap_tls.c
* Check return code of malloc() during initialization.
* Fix a corner case where the proxy port isn't set either in
radiusd.conf or in proxy.conf.
This version has been released to fix build issues in 1.1.2. The build
tools (autoconf, libtool, libltld) have been upgraded to a recent version,
and the server now builds "out of the box" on more platforms. Other fixes
include:
* More dictionary updates
* Oracle support for radsqlrelay
* Security and portability fixes to rlm_otp
* Experimental module to store IP's in an SQL table.
* Miscellaneous bug fixes
* Updated dictionaries (as always),
* Extended Ascend "abinary" support for Juniper,
* Configurable "cipher_list" for EAP methods that use TLS,
* Additional checks on cert issuer validation for EAP methods that use TLS,
* SQL IODBC bug fixes,
* Updates to the LDAP module,
* Better catching of errors in the config files,
* Miscellaneous other fixes
In addition to this add an extra option to options.mk which is
"freeradius-simul-use". This will enable Simultaneous-Use and is
enabled by default. If you disable it freeradius can be built without
depending on the net-snmp package. Original idea from John Nemeth.
set OVERRIDE_DIRDEPTH to find any libtool scripts deeper in the WRKSRC
tree unless they're named something other than "libtool".
SHLIBTOOL_OVERRIDE generally doesn't need to be specified either -- just
define it to the empty list and shlibtool-override will look for libtool
scripts.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
for libtool archives, remove the .a and .so entries. Bump revision.
Add DragonFly detection for shared libraries. Always try to find -lssl
with -lcrypto, unbreaking the test at least on DragonFly, but should
not harm elsewhere.
Use our libtool
Update to 1.1.1
Fixes security issue (DoS):
http://secunia.com/advisories/19300/
> Security fixes
> * Additional state checking in the EAP-MSCHAPv2 module.
> Bug found by Steffen Schuster.
>
> Feature improvements
> * More dictionary updates
> * Additional tests and fixes for Digest module from Phillipe Sultan.
> * Add new "phone" response mode to rlm_otp/cryptocard.
> * Put the eap sessions into a tree, so that looking them up is very
> fast, and no longer O(n) in the number of sessions.
> * Install the schema examples for a set of backends with the rest
> of the documentation.
> * Add support for xlat expansion of attributes from LDAP.
>
> Bug fixes
> * Fix rlm_perl crash. (closes: #348)
> * Fix handling of CoA-Request packets (close#344). Also correct
> name of CoA packets.
> * Fix an error on x86_64 machines when reading dictionaries.
> (closes: #312)
> * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
> module. (closes: #314#328)
> * Workaround Cisco bug in State attribute handling in rlm_otp.
> * Support LP64 for async mode in rlm_otp.
> * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
> modules. (closes: #75)
> * Make "use_tunneled_reply" work properly for PEAP.
> * Copy the whole string when getting a one-to-one-mapped attribute
> from LDAP (closes: #261)
> * Fix net-snmp's ucd-snmp compatibility mode.
> FreeRADIUS 1.1.0 ; $Date: 2006/01/04 05:55:19 $, urgency=low
> Feature improvements
> * rlm_ldap has "set_auth_type" configuration option, which should
> address some configuration problems when using it.
> * Fix MIT Kerberos bug
> * Modules can be load balanced, both in isolation and redundantly.
> See doc/load-balance.txt for more information.
> * rlm_perl is now marked "stable"
> * N-tier certificate patch from Mohammed Petiwala.
> * Copied dictionaries from the CVS head (many, many, more vendors)
> * Enabled support for weird VSA formats, like Lucent and Starent.
> * Support encrypted IP address and integers, for Juniper clients.
> * Add PEAP machine authentication support in module "rlm_mschap".
> * Support User-Password field encryption in digest mode.
> * rlm_x99_token has become rlm_otp (with lots of changes).
> * Add rlm_sqlcounter to the list of stable modules.
> * Read MySQL specific options in sections [freeradius] and [client]
> from file "my.cnf".
> * Support the ${Cisco-AVPair[n]} syntax.
> * Execute modules in {Pre,Post}-Proxy-Type stanzas.
> * Add new options to radclient to run stress tests on the server.
> * New module "rlm_sql_log" to postpone the storage of accounting data
> in a SQL database. See rlm_sql_log(5) manpage.
> * New program "radsqlrelay" which sends the SQL logfile according to
> the SQL server's capabilities.
>
> Bug fixes
> * 306 (HUP when built with threads, but executed with -s)
> * 285 (more attributes in dictionary.cisco.vpn3000)
> * rlm_digest has a number of bug fixes to authentication types.
> * Don't leak memory in module "rlm_sql".
> * Update the dictionaries, so that VALUEs with the same name,
> but different numbers, aren't allowed.
> * Queue the request before looking for available threads.
> * Don't free the check items after we received the proxy reply.
> * Expand config variables in included files, too.
> * Check the return value of accounting modules and don't proxy
> invalid requests.
> * In rlm_passwd, don't close a file stream more than once.
> * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
> * Walk the whole string in when escaping strings in rlm_ldap.
> * Include crypt.h if it is available so we get a prototype for crypt(),
> spotted by Konstantin Kubatkin.
> * Removed (for almost all uses) length restrictions on vendor names
> and VALUE names.
> * Don't leak memory when proxying an Access-Challenge response.
> * Make the sleep time user-defined, so radrelay can send more than
> 7 requests/s.
> * Fix a memory leak in rlm_checkval.
> * radclient doesn't resend countless times packets with invalid
> signature.
> * Fix segfault and mem leak in rlm_pam.
> Security Fixes
> * SQL injection attack in the module "rlm_sqlcounter".
> * Buffer overflows in the module "rlm_sqlcounter".
> * Expansion of variable %t may write 26 bytes beyond the buffer
> bound. Primoz Bratanic is credited with the discovery of these
> three bugs.
>
> Bug fixes
> * Don't de-reference a NULL pointer if the auth-type is unknown
> in the function rad_check_password().
> * Escape more characters in the LDAP queries.
> Bug found by Suse engineers.
> * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
> it leaks memory.
> * Fix an off-by-one error in the module rlm_sql_unixodbc.
> Bug found by Suse engineers.
> * In rlm_sql, resize the buffer for the value of SQL-User-Name.
> * Initialize memory for a new SQL socket in the module rlm_sql.
> * Don't add too many attributes after running an external program.
> Bug found by Suse engineers.
> * Fix an off-by-one error in the function getthing().
> * snprintf() and vsnprintf() replacements were not compiled if
> the autoconf tests didn't find the functions.
> * Don't use vsprintf() anymore, but the replacement for vsnprintf()
> in libradius instead.
> * The function decode_attribute() may write beyond buffer bounds.
> Bug found by Suse engineers.
> * Fix a memset() in the function request_enqueue() which was
> begining at the wrong address. Bug found by Matthias Ruttman.
> * Fix an off-by-one error in the function xlat_copy().
> Bug found by Primoz Bratanic.
> * Fix other off-by-one errors in module "rlm_unix", too.
> Bug found by Allan Bazinet.
> * Fix a 2-byte over-run read in function rad_decode().
> * Update thread pool queue properly.
> * Autonconf tests try first any user-specified directory,
> otherwise they may pick up the wrong version.
> * Delete the autoconf tests for the libldap dependancies.
> * Install all the regular files under the "doc" directory.
> * Distinguish between exit code <0 (failure) and >0 (reject)
> in Exec-Program-Wait. Patch from Thor Spruyt.
> * Make Expiration work.
> * Clean up the code for opening a proxy socket.
> * When finding a realm to proxy to, if all are dead, wake them
> if wake_all_if_all_dead is true.
> * In radwho, print the NAS-Port as unsigned int.
> * Use extended regex instead of basic regex in rlm_attr_filter.
> * Catch the case where someone deletes a directory that rlm_detail
> is using.
> * Use the variable $(LDFLAGS) when linking a module.
> * Ignore the Stripped-User-Name when a realm has the "nostrip"
> directive.
> * Add support for NT-Password in rlm_pap.
> * In rlm_sqlcounter, use the time left to the next reset if it's
> inferior to the time left in the counter.
> * Calculate Message-Authenticator correctly for Accounting-Request
> and Accounting-Response. Bug found by Paolo Rotela.
> * Build on MAC OS X. Still need --disable-shared, though.
> * Fix bug #255 (crash with expired CRL's, etc.)
> * Fix quote removal of the values from a SQL database.
> * Reap the zombie process after a command run from "Exec-Program".
> * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
> * Don't copy VSA's to an Access-Reject packet.
a builtin Berkeley DB 1.8x can now be used with option "bdb -gdbm"; no
dbm support at all can be selected with "-gdbm".)
- Specify --with/--without exactly once per option.
- Merge postgresql support to a single option (pgsql), and correspondingly
use pgsql.buildlink3.mk to pick the builder's desired implementation.
This aligns freeradius with the rest of pkgsrc, wrt pgsql support.
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
- The security issues mentioned in this update were incorporated
into patch-ak previously and a security advisory was already
made in regards to this.
> FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
>
> * Fix installation problem.
> * Increase a buffer size, so radrelay doesn't truncate values.
> * Updates in the documentation. Patches from Thor Spruyt.
>
> FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
> Security Fixes
> * Always escape the strings in the SQL module.
> * Check buffer bound when input character needs escaping in
> the SQL module. Bug found by Primoz Bratanic.
>
> Bug fixes
> * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
> * Don't send Proxy-State from home server in TTLS.
> * Fixes for forking external programs, so the server doesn't
> suddenly stop processing requests, or stop forking programs.
> * radzap now works, but it's command-line options have changed
> completely, and it's a shell script.
> * radwho has updated command-line options, and no longer reads
> Unix "utmp" files.
> * Fix bug in calling checkrad script with NAS port > 9999999
> * Fix long-standing bug when both crypt and pthreads are in use
> * Don't SEGV when rlm_sql gets 'NULL' value from request.
> * Re-arrange code in radrelay to not duplicate accounting packets.
> * In rlm_attr_rewrite, change the value when the attribute type
> is different from string.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
